A few days ago, I reported on the disclosure by security researchers Talal Haj Bakry and Tommy Mysk that the clipboards on iPhones and iPads are open to exploitation by “malicious” apps on those devices to “steal” any data copied to the clipboard. Apple takes the view that this is simply the copy and paste function working as normal, but it does seem to open a security vulnerability that may surprise users.
Apparently, the risk extends beyond iPhones and iPads. The researchers have now returned, telling me “we hinted in our article that the Universal Clipboard can also be affected by this vulnerability to eavesdrop on what users copy on their Macs.” And that would be an issue, because while copy and paste might be used relatively infrequently on an iOS device, it is everyday business as usual on a Mac.
The risk arises because, as Apple explains, you can use the Universal Clipboard “to copy and paste between your Apple devices—you can copy content such as text, images, photos, and videos on one Apple device, then paste the content on another.”
“We got many requests about this point,” the researchers told me on February 26, “so we added a video illustrating how an iPhone or iPad app can eavesdrop on the clipboard on Mac.”
“We submitted this to Apple on January 2, 2020,” the researchers explained in their original blog. “After analyzing the submission, Apple informed us that they don’t see an issue with this vulnerability.” I have contacted Apple for any further comments.
The risk requires an app in the foreground on the iOS device, since only a foreground app can read the pasteboard. The researchers “increased the likelihood the app can read the pasteboard” by creating a widget in the Today View, which runs in the foreground whenever the user swipes to that screen, “hence expanding the vulnerability window.”
The blog itself focuses on the risk that a malicious actor might craft an app to spy on the clipboard and then access the metadata attached to a photo taken on the device. As Sophos explained, “a malicious app could exploit it to work out a user’s location even when that user has locked down app location sharing.” However, the risk that data copied on a Mac might be sniffed out by a malicious app on a linked iOS device seems more of an issue from an exploit perspective.
The advice to Apple from the researchers remains the same: remove unrestricted access to the clipboard—the privacy settings in the latest versions of iOS could include a setting to grant clipboard access by app. Or, as an alternative, restrict clipboard access to “when the user actively performs a paste operation.”
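The second of those recommendations is something an app developer can already follow without waiting for Apple. The snippet below is an added example, not code from the article or from the researchers: a hypothetical `NoteEditorViewController` that never reads the pasteboard when it appears, becomes active or refreshes, and only calls `UIPasteboard.general.string` inside a user-initiated paste action. `hasStrings` is used to decide whether the paste button should be enabled, because it reports availability without reading the clipboard contents.

```swift
import UIKit

// Added example (not from the article or the researchers): a screen that follows
// the researchers' recommendation of reading the clipboard only when the user
// actively performs a paste operation. Class and member names are hypothetical.
final class NoteEditorViewController: UIViewController {
    private let textView = UITextView()
    private let pasteButton = UIButton(type: .system)

    override func viewDidLoad() {
        super.viewDidLoad()
        view.backgroundColor = .systemBackground

        pasteButton.setTitle("Paste", for: .normal)
        pasteButton.addTarget(self, action: #selector(pasteTapped), for: .touchUpInside)

        textView.translatesAutoresizingMaskIntoConstraints = false
        pasteButton.translatesAutoresizingMaskIntoConstraints = false
        view.addSubview(textView)
        view.addSubview(pasteButton)

        NSLayoutConstraint.activate([
            pasteButton.topAnchor.constraint(equalTo: view.safeAreaLayoutGuide.topAnchor, constant: 8),
            pasteButton.trailingAnchor.constraint(equalTo: view.safeAreaLayoutGuide.trailingAnchor, constant: -16),
            textView.topAnchor.constraint(equalTo: pasteButton.bottomAnchor, constant: 8),
            textView.leadingAnchor.constraint(equalTo: view.leadingAnchor),
            textView.trailingAnchor.constraint(equalTo: view.trailingAnchor),
            textView.bottomAnchor.constraint(equalTo: view.safeAreaLayoutGuide.bottomAnchor),
        ])
    }

    override func viewWillAppear(_ animated: Bool) {
        super.viewWillAppear(animated)
        // hasStrings only answers "is there text on the pasteboard?"; it does not
        // return the text, so using it here does not touch the user's clipboard data.
        pasteButton.isEnabled = UIPasteboard.general.hasStrings
    }

    // The single place in this screen where pasteboard contents are read:
    // a paste the user explicitly asked for.
    @objc private func pasteTapped() {
        guard let text = UIPasteboard.general.string else { return }
        textView.insertText(text)
    }
}
```

The pattern to avoid is the opposite one the researchers demonstrated: reading `UIPasteboard.general.string` from `viewDidAppear`, from an `applicationDidBecomeActive` handler, or from a Today widget's refresh path, which silently captures whatever the user last copied, including text copied on a Mac and carried over by Universal Clipboard. On the Mac side, Universal Clipboard is part of Handoff, so a user who turns off Handoff in System Preferences > General stops the Mac's clipboard from being shared with nearby devices at all.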
As I said in my original report, this is only a potential security hole with no claim that it has been exploited in the wild, “but, with state-sponsored threat groups and organized criminal networks attacking operating systems as a matter of routine, any potential flaw provides a starting point for an exploit.” My bet remains that Apple will address this in a future release and patch this hole.